Malicious activity observed in new Top-level domains

While the term top-level domain (TLD) may not be familiar to some, it is a core part of the Domain Name System (DNS) the Internet relies on. Top-level domains (TLDs) refer to the last portion of a domain name. For example, the domain example.com is part of the .COM TLD.

The Internet Corporation for Assigned Names and Numbers (ICANN) is in charge of TLDs and various matters about them. The picture below shows the evolution of TLDs from the early days until now:


Image courtesy of http://newgtlds.icann.org/en/about/program

Over 300 new TLDs were revealed at ICANN 50 in London earlier this year and many more are expected to be released in the near future as well.

Out of curiosity, we checked our honeypot logs for the past 60 days to see if any malicious activity came from these new TLDs. Here are some of our findings:

  • XYZ
  • CLUB
  • GURU

Exploit Kit activity (Angler EK):

  • hxxp://alkoholisminflaus.jamesbratton.pictures:37702/0ux6l07aus.php
  • hxxp://aaannnspiderlily.type2.consulting:2578/7wnilfm1fu.php
  • hxxp://cdn.primrosebrentwood.xyz:16122/cars.php
  • hxxp://houseflilaiskan.shuffleboard.club:37702/14h1c20g6g.php
  • hxxp://ajoberouusiminen.bratton.email:2578/tvunihfbe8.php
  • hxxp://bsdmalloc.alternativehealth.solutions:1702/fuiuusmwwh.php
  • hxxp://ahakim-keyedup.domainstreet.domains:2578/0eez5xm9o0.php
  • hxxp://elocatio.blgmusic.company:2578/7jyey0xi6s.php
  • hxxp://gabkstrukturach.jamesbratton.photos:37702/cfeqsoc9e2.php
  • hxxp://aprikoimme.holster.directory:37702/22j2p7u34g.php
  • hxxp://bestamdes1induce.jbod.enterprises:2578/23t42q9cfw.php
  • hxxp://buyelecindkaldt.informationservices.guru:2578/2a6kszjaff.php

It is important to note that the majority of the domains involved were not registered by the bad guys themselves. Instead, what we observed were legitimate websites whose DNS entries had been hacked so that attacker-controlled subdomains could be added and used for nefarious purposes.
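The log review described above, written out as an added example that is not from the original post or from Malwarebytes: a Python script that parses defanged hxxp:// URLs in the same form as the list above, splits each host into subdomain, registered domain and public suffix, counts hits per TLD, and flags the combination the post points at (a new gTLD, an unusual port, and a throwaway-looking subdomain under somebody else's registered domain). The sample log lines, the short new-gTLD set and the three-entry stand-in for the Public Suffix List are all constructed for this example; the subdomain heuristic is an assumption of mine, not the post's own rule.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines in the same defanged "hxxp://" form as the
# exploit-kit list in the post. These are NOT real indicators; hosts are invented.
SAMPLE_LOG = """\
hxxp://qwert12345.example-photos.pictures:37702/0ux6l07aus.php
hxxp://zxcvb98765.example-shop.club:2578/7wnilfm1fu.php
hxxp://cdn.example-health.xyz:16122/cars.php
hxxp://asdfg54321.example-news.guru:2578/2a6kszjaff.php
hxxp://www.example-bank.co.uk/login.php
hxxp://plmokn11223.example-host.com:8080/index.php
"""

# New gTLDs named in the post (assumption: a real watch-list would be much longer).
NEW_GTLDS = {"xyz", "club", "guru", "pictures", "support", "pharmacy"}

# Tiny stand-in for the Public Suffix List (https://publicsuffix.org/). A real
# deployment must load the full list: "co.uk" is one suffix, not "uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// so urlsplit parses it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def split_host(host):
    """Return (subdomain, registered_domain, public_suffix) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 1
    # Try the longest multi-label suffix first, then fall back to the last label.
    for n in (3, 2):
        if len(labels) > n and ".".join(labels[-n:]) in MULTI_LABEL_SUFFIXES:
            suffix_len = n
            break
    suffix = ".".join(labels[-suffix_len:])
    if len(labels) <= suffix_len:
        return "", host.lower(), suffix
    registered = ".".join(labels[-(suffix_len + 1):])
    subdomain = ".".join(labels[:-(suffix_len + 1)])
    return subdomain, registered, suffix


def parse_line(line):
    """Parse one defanged URL into the fields a triage rule needs."""
    parts = urlsplit(refang(line))
    sub, reg, suffix = split_host(parts.hostname or "")
    return {
        "host": parts.hostname,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path,
        "subdomain": sub,
        "registered_domain": reg,
        "tld": suffix,
    }


def triage(log_text, new_gtlds=NEW_GTLDS):
    """Count hits per TLD and flag entries matching the pattern the post describes.

    Returns (Counter of TLD -> hits, list of (host, registered_domain, reasons)).
    """
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    per_tld = Counter(r["tld"] for r in records)
    flagged = []
    for r in records:
        reasons = []
        if r["tld"] in new_gtlds:
            reasons.append("new-gtld")
        if r["port"] not in (80, 443):
            reasons.append("odd-port")
        # Constructed heuristic: a long leftmost label mixing letters and digits
        # looks like an attacker-added record under a hijacked DNS zone.
        leftmost = r["subdomain"].split(".")[0]
        if len(leftmost) >= 8 and re.search(r"\d", leftmost):
            reasons.append("random-subdomain")
        if reasons:
            flagged.append((r["host"], r["registered_domain"], tuple(reasons)))
    return per_tld, flagged


if __name__ == "__main__":
    per_tld, flagged = triage(SAMPLE_LOG)
    print("hits per TLD:", dict(per_tld))
    for host, registered, reasons in flagged:
        print(f"{host:40} owner-domain={registered:28} {', '.join(reasons)}")
```

The registered-domain column is the useful pivot for the takedown side: when several flagged hosts share one registered domain, that domain's DNS has most likely been hijacked and its owner, not the new TLD's registry, is who needs to be notified.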

However, this doesn’t mean that cyber crooks won’t seize the opportunity to abuse these new top-level domains directly. In fact, just a few days ago the Internet Storm Center reported that phishing scams were already using the “.support” TLD.

Some TLDs are more likely to be exploited by the bad guys than others. For example, “.pharmacy” would be a good candidate for spammers pushing various drugs, even though there are some restrictions as to who is allowed to register a site under it.



Jérôme Segura

Principal Threat Researcher